
Crisis Communications – How Not To Do It

Matt Hodges-Long looks at the recent WHSmith ‘data breach’ story and explains how the retailer could have better handled its crisis communications.

At approximately 00:17 on September 2nd, the well-known British retailer WHSmith started to erroneously email its customers’ email addresses and telephone numbers to other customers in its database. We don’t know when WHSmith were made aware of the problem, but we do know that they started to receive @mentions via Twitter from around 8am. From that point the ‘data breach’ story went viral on social media and was soon picked up by the BBC and other mainstream news outlets.

So in the immediate few hours after the breach how did WHSmith deal with the crisis to protect its customers’ interests and its own corporate reputation? In a word: badly.

After a prolonged period of silence, WHSmith management started briefing (to the traditional media) against a third-party supplier called I-Subscribe: in effect they attempted to ‘pass the buck’. They also tried to split hairs by stating that they had not experienced a data breach but rather a ‘bug’. What they probably meant to say is that they were not hacked. Perhaps they should have looked at the ICO’s definition of a Data Breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

At around 1pm on September 2nd, WHSmith issued a statement on their Facebook page and cross-linked it to their Twitter feed. Here is the post: “We have been alerted to a systems bug by I-subscribe who manage our magazine subscriptions. This is not a data breach. We can confirm that this has impacted 22 customers. I-subscribe have immediately taken down this online form and are contacting the customers concerned to apologise for this administrative error. This issue has not impacted or compromised any customer passwords or payment details.”

This statement is probably one of the worst ‘official’ statements I have come across, and in my view is way below what could pass as acceptable from a Plc with a brand to protect. Here is why…
